Message-Authenticator Attribute
Eliot, Wireless and Server Administrator, Great Lakes Internet
2006-03-24 20:54:25 UTC
Is the message authenticator attribute properly implemented in
FreeRADIUS? I see this in the code:

/*
 * EAP-Message is always associated with
 * Message-Authenticator but not vice-versa.
 *
 * Don't add a Message-Authenticator if it's already
 * there.
 */
vp = pairfind(request->reply->vps, PW_MESSAGE_AUTHENTICATOR);
if (!vp) {
        vp = paircreate(PW_MESSAGE_AUTHENTICATOR, PW_TYPE_OCTETS);
        memset(vp->strvalue, 0, AUTH_VECTOR_LEN);
        vp->length = AUTH_VECTOR_LEN;
        pairadd(&(request->reply->vps), vp);
}

This indicates that anytime it adds a Message-Authenticator attribute,
it simply sets it to 0. This would explain why I get:

Message-Authenticator = 0x00000000000000000000000000000000

in my proxied packets. However, it could just be that the attributes are
getting displayed before the authenticator is actually computed and that
the authenticator is getting computed and sent out correctly in the
actual packet. I read a post from a long time ago about putting the
attribute (set to any value) in the response list, but that does not
seem to work (unless I did it wrong):

/etc/raddb/preproxy_users:

DEFAULT
        Message-Authenticator = 1

Anyway, I think I am running into a problem with not having this in the
packets. I am proxying requests from my Windows XP SP2 supplicant to my
Cisco 1310 AP, then my router running FreeRADIUS, then Microsoft IAS.
When the proxied reply (Access-Challenge) goes out of the router back
towards the Cisco 1310 AP and the supplicant, the Cisco or the
supplicant (can't tell which) is ignoring the reply and then sending a
new request.

Can anyone verify whether the Message-Authenticator attribute is or is
not working properly? If it is not working, is it really likely to be
causing this problem?

Thanks for any help on this.



Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324

Now offering Broadband Wireless Internet access in Croswell, Lexington,
Brown City, Yale, and Sandusky. Call for details.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2006-03-24 21:59:48 UTC
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
Is the message authenticator attribute properly implemented in
FreeRADIUS?
Huh? Would you expect the answer to be "no"?
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
This indicates that anytime it adds a Message-Authenticator attribute,
Message-Authenticator = 0x00000000000000000000000000000000
In my proxied packets. However, it could just be that the attributes are
getting displayed before the authenticator is actually computed and that
the authenticator is getting computed and sent out correctly in the
actual packet.
Yes, that's what it's doing.
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
I read a post from a long time ago about putting the
attribute (set to any value) in the response list, but that does not
DEFAULT
Message-Authenticator = 1
You're adding it to the proxied packet. Read the docs.
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
Anyway, I think I am running into a problem with not having this in the
packets. I am proxying requests from my Windows XP SP2 supplicant to my
Cisco 1310 AP
That's not proxying. The supplicant doesn't do RADIUS.
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
When the proxied reply (Access-Challenge) goes out of the router back
towards the Cisco 1310 AP and the supplicant, the Cisco or the
supplicant (can't tell which) is ignoring the reply and then sending a
new request.
That's most likely the "extended key" oid nonsense that Microsoft needs.
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
Can anyone verify whether the Message-Authenticator attribute is or is
not working properly? If it is not working, is it really likely to be
causing this problem?
It works.

Alan DeKok.
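The zero-filled attribute in the FreeRADIUS excerpt above is only the placeholder over which the HMAC-MD5 is computed at send time, which is why the reply list prints zeros while the wire packet carries a valid value. The following Python, written for this thread and not taken from FreeRADIUS, implements the RFC 2869 section 5.14 computation for requests and replies plus the receiver-side check a NAS or proxy performs; the shared secret and request authenticator used with it are constructed values.

```python
import hashlib, hmac, struct

MSG_AUTH_TYPE = 80   # Message-Authenticator attribute type (RFC 2869)
MAC_LEN = 16         # HMAC-MD5 output length; the attribute is always 16 octets

def avp(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value (length counts the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_packet(code, ident, authenticator, attrs):
    """Assemble Code | Identifier | Length | Authenticator | Attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def locate_message_authenticator(packet):
    """Walk the attribute list; return the offset of the 16-byte value, or None if absent."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MSG_AUTH_TYPE and length == 2 + MAC_LEN:
            return pos + 2
        pos += length
    return None

def compute_message_authenticator(packet, secret, request_authenticator):
    """HMAC-MD5 over Code|ID|Length|Request Authenticator|Attributes with the
    Message-Authenticator value taken as 16 zero octets. For an Access-Request that
    authenticator is the packet's own; for Challenge/Accept/Reject it is the request's."""
    off = locate_message_authenticator(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator")
    zeroed = (packet[:4] + request_authenticator + packet[20:off]
              + b"\x00" * MAC_LEN + packet[off + MAC_LEN:])
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def sign(packet, secret, request_authenticator):
    """Replace the zero placeholder at send time, as FreeRADIUS does after printing the reply list."""
    off = locate_message_authenticator(packet)
    mac = compute_message_authenticator(packet, secret, request_authenticator)
    return packet[:off] + mac + packet[off + MAC_LEN:]

def verify(packet, secret, request_authenticator):
    """Constant-time check a receiver performs before trusting the packet; False if the attribute is absent."""
    off = locate_message_authenticator(packet)
    if off is None:
        return False
    expected = compute_message_authenticator(packet, secret, request_authenticator)
    return hmac.compare_digest(packet[off:off + MAC_LEN], expected)
```

To reproduce the thread's situation, build an Access-Challenge with a zeroed Message-Authenticator and call sign() with the authenticator of the Access-Request being answered; the placeholder never verifies on its own.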
Eliot, Wireless and Server Administrator, Great Lakes Internet
2006-03-24 22:36:49 UTC
It would seem that I have been able to answer my own question for this.
After doing an Ethereal dump, I noticed that the Message-Authenticator
is indeed set to a valid value. This means that it simply isn't
displayed with a value (it gets printed before it is computed).

I also figured out that the Cisco was dropping the authentication
packets because it was sending to a .6.1 address (the virtual IP for
that interface) and receiving the response from the .6.2 address (the
primary IP for that interface). Doh!


Eliot, Wireless and Server Administrator, Great Lakes Internet
2006-03-24 22:49:59 UTC
Post by Alan DeKok
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
I read a post from a long time ago about putting the
attribute (set to any value) in the response list, but that does not
DEFAULT
Message-Authenticator = 1
You're adding it to the proxied packet. Read the docs.
Right, because FreeRADIUS is acting as a proxy -- but it wasn't even a
problem, so I didn't really need to put that in there. Correct me if I'm
wrong, but EAP should be doing Message-Authenticator stuff without me
needing to tell it to add the attribute, right? It seems to be doing
just that.
Post by Alan DeKok
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
Anyway, I think I am running into a problem with not having this in
the packets. I am proxying requests from my Windows XP SP2 supplicant to
my Cisco 1310 AP
That's not proxying. The supplicant doesn't do RADIUS.
Yeah, I suppose I could have worded that a bit more technically
accurately. The supplicant is sending the EAP requests to the Cisco, which
is sending RADIUS stuff to the router running FreeRADIUS, which is
proxying those RADIUS requests to the IAS machine. Sound right now?
Post by Alan DeKok
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
When the proxied reply (Access-Challenge) goes out of the router
back towards the Cisco 1310 AP and the supplicant, the Cisco or the
supplicant (can't tell which) is ignoring the reply and then sending
a new request.
That's most likely the "extended key" oid nonsense that Microsoft
needs.

Since you seem to know something about this, can you either:

A) Explain what the "extended key oid nonsense" is?
B) Point me to some place I can read about it?

I appreciate your help.

Thanks,

Eliot Gable

Alan DeKok
2006-03-24 23:08:04 UTC
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
Correct me if I'm
wrong, but EAP should be doing Message-Authenticator stuff without me
needing to tell it to add the attribute, right?
Yes.
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
A) Explain what the "extended key oid nonsense" is?
B) Point me to some place I can read about it?
http://www.freeradius.org/doc/

See the EAP-TLS stuff.

Microsoft requires magic stuff in the server certificate, otherwise
the Windows supplicants silently stop talking to the AP.

Alan DeKok.

Eliot, Wireless and Server Administrator, Great Lakes Internet
2006-03-27 15:02:04 UTC
Post by Alan DeKok
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
A) Explain what the "extended key oid nonsense" is?
B) Point me to some place I can read about it?
http://www.freeradius.org/doc/
See the EAP-TLS stuff.
Microsoft requires magic stuff in the server certificate, otherwise
the windows supplicants silently stop talking to the AP.
Ok, I read the document, but I still do not understand something...

I am proxying the packets from the Cisco through the FreeRADIUS server
to the IAS server. EAP messages are exchanged between the supplicant and
the IAS server; the Cisco AP and FreeRADIUS server do not touch them,
correct? They just do RADIUS stuff and encapsulate the EAP messages,
right? And, if that is the case, then the IAS server and the supplicant
are doing all the TLS stuff. The IAS server obviously supports those OID
extensions. So, shouldn't the supplicant work properly? I mean, we are
not creating a TLS tunnel from the supplicant to the FreeRADIUS server
and another from the FreeRADIUS server to the IAS server -- it should be
from the supplicant to the IAS server, encapsulated in RADIUS, proxied
through the FreeRADIUS server. And, in that kind of setup, the
FreeRADIUS server should not be causing any problems, correct?


Alan DeKok
2006-03-27 18:03:48 UTC
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
I am proxying the packets from the Cisco through the FreeRADIUS server
to the IAS server. EAP messages are exchanged between the supplicant and
the IAS server; the Cisco AP and FreeRADIUS server do not touch them,
correct?
For the most part.
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
And, if that is the case, then the IAS server and the supplicant
are doing all the TLS stuff. The IAS server obviously supports those OID
extensions. So, shouldn't the supplicant work properly?
It would seem so.
Post by Eliot, Wireless and Server Administrator, Great Lakes Internet
And, in that kind of setup, the
FreeRADIUS server should not be causing any problems, correct?
Other people do it, so it should work.

Alan DeKok.